Windows Analysis Report
run0796.exe

Overview

General Information

Sample name: run0796.exe
Analysis ID: 1530692
MD5: 6e912c37e25ed34d27440036de24c71a
SHA1: 8d2173a6e5239616f131c3c72b6572c56123dac1
SHA256: 6e120026e8e7473a4d12f13a157c773b82a04fe90a841d9a8c46da438a8bb58d
Tags: exeuser-QuangNguyen

Detection

Score: 29
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Found pyInstaller with non standard icon
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Source: run0796.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1869F0 FindFirstFileExW,FindClose, 0_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F1869F0 FindFirstFileExW,FindClose, 2_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013C2DFC FindFirstFileExW, 2_2_00007FFE013C2DFC
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013EEFEC FindFirstFileExW,FindClose,FindNextFileW, 2_2_00007FFE013EEFEC
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE132763D8 recv, 2_2_00007FFE132763D8
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 
00000000.00000003.1679107388.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: run0796.exe, 00000000.00000003.1678587999.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 
00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 
00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 
00000000.00000003.1679107388.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: run0796.exe, 00000002.00000002.1691664835.00007FFDFB75D000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 
00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678781344.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 
00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.eclipse.org/0
Source: run0796.exe, 00000002.00000003.1687968485.000001AA09DAE000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687917821.000001AA09D83000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: http://www.python.org/
Source: run0796.exe, 00000000.00000003.1683564349.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: run0796.exe, 00000002.00000002.1691089775.000001AA0A490000.00000004.00001000.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687549544.000001AA09DB5000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: base_library.zip.0.dr String found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: run0796.exe, 00000002.00000002.1690891791.000001AA0A110000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: run0796.exe, 00000002.00000002.1690879972.000001AA09DCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: run0796.exe, 00000002.00000003.1687968485.000001AA09DAE000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687917821.000001AA09D83000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr String found in binary or memory: https://mahler:8092/site-updates.py
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 
00000000.00000003.1679820104.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr String found in binary or memory: https://www.openssl.org/H
Source: C:\Users\user\Desktop\run0796.exe Code function: String function: 00007FFE13279580 appears 148 times
Source: C:\Users\user\Desktop\run0796.exe Code function: String function: 00007FF60F181CB0 appears 38 times
Source: C:\Users\user\Desktop\run0796.exe Code function: String function: 00007FFE132794D8 appears 35 times
Source: C:\Users\user\Desktop\run0796.exe Code function: String function: 00007FFE01386448 appears 32 times
Source: C:\Users\user\Desktop\run0796.exe Code function: String function: 00007FF60F181C50 appears 90 times
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
Source: run0796.exe Binary or memory string: OriginalFilename vs run0796.exe
Source: libcrypto-1_1.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9987125577836082
Source: libssl-1_1.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9899651759530792
Source: python38.dll.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.999172404661017
Source: unicodedata.pyd.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9939845202137546
Source: classification engine Classification label: sus29.winEXE@4/51@0/0
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F186680 GetLastError,FormatMessageW,WideCharToMultiByte, 0_2_00007FF60F186680
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722 Jump to behavior
Source: run0796.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\run0796.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: run0796.exe String found in binary or memory: can't send non-None value to a just-started generator
Source: run0796.exe String found in binary or memory: --help
Source: C:\Users\user\Desktop\run0796.exe File read: C:\Users\user\Desktop\run0796.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe"
Source: C:\Users\user\Desktop\run0796.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\run0796.exe Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe"
Source: C:\Users\user\Desktop\run0796.exe Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe" Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe File opened: C:\Users\user\Desktop\pyvenv.cfg Jump to behavior
Source: run0796.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: run0796.exe Static file information: File size 5364263 > 1048576
Source: run0796.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: run0796.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: run0796.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: run0796.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: run0796.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: run0796.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: run0796.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681336615.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1678682813.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: run0796.exe, run0796.exe, 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp
Source: Binary string: ucrtbase.pdb source: run0796.exe, 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1680583247.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681198263.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680904078.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: run0796.exe, 00000002.00000002.1691664835.00007FFDFB75D000.00000040.00000001.01000000.00000005.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1679187945.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681805406.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678508272.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: run0796.exe, 00000000.00000003.1678781344.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source: Binary string: vcruntime140.amd64.pdbGCTL source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679621455.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679107388.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678587999.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681028597.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679035664.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: run0796.exe, run0796.exe, 00000002.00000002.1692491940.00007FFE148E1000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679820104.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source: Binary string: ucrtbase.pdbUGP source: run0796.exe, 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source: Binary string: vcruntime140.amd64.pdb source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681252863.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.0.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681742787.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source: run0796.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: run0796.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: run0796.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: run0796.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: run0796.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: api-ms-win-core-file-l1-1-0.dll.0.dr Static PE information: 0xC4F451B9 [Sun Sep 16 17:54:01 2074 UTC]
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE13287170 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00007FFE13287170
Source: run0796.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013A44F9 push rdi; ret 2_2_00007FFE013A4502
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013A983D push rdi; ret 2_2_00007FFE013A9844
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013A4A15 push rdi; ret 2_2_00007FFE013A4A1B
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013A9F52 push rdi; ret 2_2_00007FFE013A9F56
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE1330CB1B push rbp; retf 2_2_00007FFE1330CB28
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\run0796.exe Process created: "C:\Users\user\Desktop\run0796.exe"
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\select.pyd
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\unicodedata.pyd
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\ucrtbase.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\libssl-1_1.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\python38.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1850B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00007FF60F1850B0
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\select.pyd
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\unicodedata.pyd
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\libssl-1_1.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\python38.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\run0796.exe API coverage: 3.3 %
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1869F0 FindFirstFileExW,FindClose, 0_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F1869F0 FindFirstFileExW,FindClose, 2_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013C2DFC FindFirstFileExW, 2_2_00007FFE013C2DFC
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013EEFEC FindFirstFileExW,FindClose,FindNextFileW, 2_2_00007FFE013EEFEC
Source: run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689189339.000001AA09D8C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690694229.000001AA09D8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F199C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF60F199C54
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE13287170 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 2_2_00007FFE13287170
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1A2630 GetProcessHeap, 0_2_00007FF60F1A2630
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F199C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF60F199C54
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F18ABE4 SetUnhandledExceptionFilter, 0_2_00007FF60F18ABE4
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F18AA3C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF60F18AA3C
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F18A190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF60F18A190
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F199C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF60F199C54
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F18ABE4 SetUnhandledExceptionFilter, 2_2_00007FF60F18ABE4
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F18AA3C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF60F18AA3C
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FF60F18A190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF60F18A190
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013C22DC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFE013C22DC
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE013ECC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFE013ECC28
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE13273AD4 SetUnhandledExceptionFilter, 2_2_00007FFE13273AD4
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE13273E0E SetUnhandledExceptionFilter, 2_2_00007FFE13273E0E
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE13279040 SetUnhandledExceptionFilter, 2_2_00007FFE13279040
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE132738EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFE132738EC
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE1330D414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFE1330D414
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE148E1EEC IsProcessorFeaturePresent,00007FFE1330CEB0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1330CEB0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFE148E1EEC
Source: C:\Users\user\Desktop\run0796.exe Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe"
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1A8A40 cpuid 0_2_00007FF60F1A8A40
Source: C:\Users\user\Desktop\run0796.exe Code function: GetPrimaryLen,EnumSystemLocalesW, 2_2_00007FFE013EB074
Source: C:\Users\user\Desktop\run0796.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00007FFE013EB62C
Source: C:\Users\user\Desktop\run0796.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00007FFE013EB4B8
Source: C:\Users\user\Desktop\run0796.exe Code function: GetProcAddress,GetLocaleInfoW, 2_2_00007FFE01383AE0
Source: C:\Users\user\Desktop\run0796.exe Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection, 2_2_00007FFE013E8FB8
Source: C:\Users\user\Desktop\run0796.exe Code function: EnumSystemLocalesW, 2_2_00007FFE013EAF64
Source: C:\Users\user\Desktop\run0796.exe Code function: GetPrimaryLen,EnumSystemLocalesW, 2_2_00007FFE013EAFC4
Source: C:\Users\user\Desktop\run0796.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\ucrtbase.dll VolumeInformation
Source: C:\Users\user\Desktop\run0796.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\run0796.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation
Source: C:\Users\user\Desktop\run0796.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\Desktop\run0796.exe Queries volume information: C:\Users\user\Desktop\run0796.exe VolumeInformation
Source: C:\Users\user\Desktop\run0796.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\run0796.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F18A920 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF60F18A920
Source: C:\Users\user\Desktop\run0796.exe Code function: 0_2_00007FF60F1A4EB0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 0_2_00007FF60F1A4EB0
Source: C:\Users\user\Desktop\run0796.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE1327622C listen, 2_2_00007FFE1327622C
Source: C:\Users\user\Desktop\run0796.exe Code function: 2_2_00007FFE132720F0 htons,htonl,bind,htons, 2_2_00007FFE132720F0
No contacted IP infos